On 09/03/15 20:39, Stephen Kent wrote:
Eran,

...
In principle that's true, but in practice we have seen many instances
where client software fails to perform checks established by standards.
Thus logs represent an opportunity to do a better job (since they are
new code) and perhaps help save clients from bad code.

Can we put the extra checks logs may do in the CtExtensions field of
the SCT? That way the additional checks can be defined in a separate
document.
<snip>
I think the cert type marking and checking info should be included in
the base spec, if only to address the second problem

+1 to Eran's suggestion of using the CtExtensions field, regardless of whether Steve's proposed cert compliance checks are included in the base spec or a separate document. I can't think of any better place (than CtExtensions) in which to put optional fields into an SCT.

Incidentally, +1 to Steve's recent comment...
"The description of the extensions field seems to be inspired by X.509v3.
That's OK, but one needs to define a top-level format for extensions to
ensure backward compatibility (as per v3 extensions) to make this work.
That level of specification is missing here."

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
